APT Attackers Flying More False Flags Than Ever

Investigators continue to focus on attack attribution, but Kaspersky Lab researchers Brian Bartholomew and Juan Andres Guerrero-Saade, speaking at CanSecWest 2016, caution that attackers are deliberately manipulating the very data used to tie attacks to perpetrators.

With every APT report there comes the gnawing question of whodunit. Just this week, a Reuters report linked a spree of ransomware attacks against U.S. companies to state-sponsored hacker groups in China.

Most reports, however, offer little tangible evidence beyond technical footprints, and those footprints can be faked easily or, increasingly, are planted to deceive.

“People use a lot of things for attribution: timestamps or language strings, for example,” Guerrero-Saade said. “What we want to say is that there are ways to manipulate and mess with all these things. That’s one of the key reasons not to get hung up on attribution because advanced attackers have begun to manipulate these things on purpose.”

Many APT campaigns have been linked to China, Russia, North Korea, the U.S., and Middle Eastern interests, with targets as varied as the tactics and malware used by the respective groups. Most of the attribution comes from clues in the code. Consistent compile times, for example, could point to a routine workday in a particular part of the world. But nothing stops an attacker from setting the build machine’s clock to the wrong time, or simply overwriting the timestamp field in the finished binary, or sprinkling strings in several languages through the malware, all as a means of frustrating analysis.
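As an added illustration (this is not code from the article or from the Kaspersky researchers), the Python below reads the compile timestamp from a hand-built PE image, rewrites it the way an attacker would, and runs the two checks an analyst would want before treating the value as evidence: a plausibility test against the date the sample was first seen, and the "workday" fit for a candidate time zone. The PE blob, the first-seen date and the build times are constructed for the example; the 1995 cutoff and the 09:00-17:59 window are assumptions.

```python
"""Added example (not from the article or the Kaspersky talk): the PE
compile timestamp that attribution reports lean on: how it is read, how
cheaply it is rewritten, and two checks to run before trusting it.
The PE image built here is a hand-made stand-in, not a real sample."""
import struct
from datetime import datetime, timezone

def utc_ts(year, month, day, hour=0, minute=0):
    """Unix timestamp for a UTC wall-clock time (helper for the demo)."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())

def build_minimal_pe(timestamp):
    """Construct a PE-shaped blob (not executable) carrying the given
    IMAGE_FILE_HEADER.TimeDateStamp. Only the fields read below are filled."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)        # e_lfanew: PE header at 0x80
    img[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<H", img, 0x84, 0x14C)       # Machine: IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", img, 0x86, 1)           # NumberOfSections
    struct.pack_into("<I", img, 0x88, timestamp)   # TimeDateStamp, seconds since 1970
    return img

def read_timestamp(img):
    """TimeDateStamp sits 8 bytes past the 'PE\\0\\0' signature."""
    if img[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", img, pe + 8)[0]

def forge_timestamp(img, new_ts):
    """The attacker's side: one 4-byte write, no rebuild, and the 'compile
    time' says whatever the attacker wants the analyst to see."""
    out = bytearray(img)
    pe = struct.unpack_from("<I", out, 0x3C)[0]
    struct.pack_into("<I", out, pe + 8, new_ts)
    return out

def timestamp_flags(ts, first_seen_ts):
    """Plausibility checks before a compile time is used as evidence.
    first_seen_ts comes from the collection pipeline, not from the sample;
    the 1995 cutoff is an assumption (roughly when PE toolchains were common)."""
    flags = []
    if ts == 0:
        flags.append("zeroed")
    if ts > first_seen_ts:
        flags.append("later than first seen")
    if datetime.fromtimestamp(ts, tz=timezone.utc).year < 1995:
        flags.append("implausibly old")
    return flags

def workday_fit(timestamps, utc_offset_hours):
    """Share of compile times that fall 09:00-17:59 local time if the
    authors sat in the given UTC offset: the 'routine workday' clue. A set
    that fits no offset at all hints the field was randomized; a set that
    fits one offset perfectly is still only as good as the field itself."""
    if not timestamps:
        return 0.0
    hits = 0
    for ts in timestamps:
        hour = (datetime.fromtimestamp(ts, tz=timezone.utc).hour + utc_offset_hours) % 24
        if 9 <= hour < 18:
            hits += 1
    return hits / len(timestamps)

if __name__ == "__main__":
    first_seen = utc_ts(2016, 3, 17)                     # constructed first-seen date
    sample = build_minimal_pe(utc_ts(2016, 3, 1, 9, 30))
    print(read_timestamp(sample), timestamp_flags(read_timestamp(sample), first_seen))
    forged = forge_timestamp(sample, utc_ts(2017, 1, 1))
    print(read_timestamp(forged), timestamp_flags(read_timestamp(forged), first_seen))
    builds = [utc_ts(2016, 3, 14, h) for h in range(6, 14)]   # constructed build times
    print(workday_fit(builds, 3), workday_fit(builds, -5))
```

The point of the two checks is asymmetry: the forgery costs the attacker one write, so the field is only worth anything when it is corroborated by data the attacker does not control, such as when the sample first appeared in the wild.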

The CloudAtlas APT group, for example, emerged in late 2014 and used the same spear phishing lure as did the Red October group discovered by Kaspersky Lab a year earlier. It relied on some of the same exploits and even hit some of the same targets as Red October.

“A lot of things they did caused researchers to scratch their heads,” Bartholomew said, pointing out that the group sent Spanish-language documents to Russian targets, that Arabic strings were found in its malware targeting BlackBerry devices and Hindi strings in its Android malware. “Their command and control infrastructure used routers in South Korea, and they were deploying Chinese malware at some point.”
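The language-string clue is just as cheap to plant as it is to find. As an added example (not the article's or Kaspersky's code), the Python below inventories the writing systems present in a binary's embedded strings, in both UTF-16LE wide and UTF-8 narrow encodings, and shows the attacker's side: appending a decoy string in the language the analyst should "discover" is a one-liner. The sample blob, the decoy texts and the four-character minimum run length are constructed for the example. One tooling pitfall is handled explicitly: ASCII text read as UTF-16LE lands in the CJK range, so wide Han and Hangul hits made only of printable ASCII bytes are discarded by default.

```python
"""Added example (not from the article or the Kaspersky talk): inventory
the writing systems found in a binary's embedded strings, the 'language
string' clue the article says CloudAtlas salted with Arabic and Hindi,
next to how cheaply such strings are planted. SAMPLE is constructed."""
import re
from collections import Counter

MIN_LEN = 4  # characters per run; shorter hits are mostly noise (assumption)

# Byte-level patterns for a run of MIN_LEN+ characters from one script, as
# the bytes sit in the file. Ranges are Unicode blocks, not full scripts.
WIDE = {  # UTF-16LE, the usual Windows wide string
    "Latin":      rb"(?:[A-Za-z]\x00){%d,}",
    "Cyrillic":   rb"(?:[\x00-\xff]\x04){%d,}",          # U+0400-U+04FF
    "Arabic":     rb"(?:[\x00-\xff]\x06){%d,}",          # U+0600-U+06FF
    "Devanagari": rb"(?:[\x00-\xff]\x09){%d,}",          # U+0900-U+097F
    "Han":        rb"(?:[\x00-\xff][\x4e-\x9f]){%d,}",   # U+4E00-U+9FFF
    "Hangul":     rb"(?:[\x00-\xff][\xac-\xd7]){%d,}",   # U+AC00-U+D7FF
}
NARROW = {  # ASCII / UTF-8
    "Latin":      rb"[A-Za-z]{%d,}",
    "Cyrillic":   rb"(?:[\xd0-\xd3][\x80-\xbf]){%d,}",
    "Arabic":     rb"(?:[\xd8-\xdb][\x80-\xbf]){%d,}",
    "Devanagari": rb"(?:\xe0[\xa4-\xa5][\x80-\xbf]){%d,}",
}

def script_inventory(blob, filter_ascii_collisions=True):
    """Return Counter({script: number of string runs}) for the blob.
    Pitfall handled: a run of ASCII letters read as UTF-16LE lands in the
    CJK range (b"se" is U+6573), so wide Han/Hangul hits made only of
    printable ASCII bytes are dropped unless the caller disables that."""
    counts = Counter()
    for script, pat in WIDE.items():
        for m in re.finditer(pat % MIN_LEN, blob):
            raw = m.group()
            if (filter_ascii_collisions and script in ("Han", "Hangul")
                    and all(0x20 <= b < 0x7F for b in raw)):
                continue
            counts[script] += 1
    for script, pat in NARROW.items():
        n = len(re.findall(pat % MIN_LEN, blob))
        if n:
            counts[script] += n
    return counts

def plant_decoys(blob, texts):
    """The attacker's side of the false flag: append null-terminated wide
    strings in whatever language the analyst is meant to 'discover'."""
    return bytes(blob) + b"".join(t.encode("utf-16le") + b"\x00\x00" for t in texts)

# Constructed stand-in for a Windows binary: an import name and a PDB path,
# plus Cyrillic and Arabic wide strings and a Devanagari UTF-8 string.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"kernel32.dll\x00"
    + "Установить обновление".encode("utf-16le") + b"\x00\x00"
    + "تحميل".encode("utf-16le") + b"\x00\x00"
    + "डाउनलोड".encode("utf-8") + b"\x00"
    + b"C:\\Users\\build\\release\\agent.pdb\x00"
)

if __name__ == "__main__":
    print(dict(script_inventory(SAMPLE)))
    print(dict(script_inventory(SAMPLE, filter_ascii_collisions=False)))  # note the bogus Han hit
    print(dict(script_inventory(plant_decoys(SAMPLE, ["डाउनलोड", "下载更新文件"]))))
```

Run with the collision filter off and the PDB path alone yields a "Han" hit, which is exactly the kind of artifact that gets reported as a clue; with decoys planted the inventory dutifully reports Devanagari and Han, and nothing in the output distinguishes a planted string from a genuine one.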

Other groups such as the Lazarus Group, which has been linked to the Sony attacks and other intrusions using destructive wiper malware, have also tried to falsely connect themselves with other hacktivist groups in order to move analysts in the wrong direction.

“The reasoning is plausible deniability,” Bartholomew said, pointing to, among others, the Sofacy APT group, which has been linked to attacks against NATO allies, Ukraine and other Eastern European nations, each with its own signature and attributes. “All of this helps these groups buy some time to cover their tracks.”

While attribution makes for sexy headlines, it has far more value to governments and military investigators than to an enterprise, which is usually much more interested in getting attackers off its network and recovering lost data or intellectual property.

“The government needs the most fidelity if it’s doing attribution,” Guerrero-Saade said. “If it’s pursuing sanctions or indictments, it needs to go as deep as possible.

“In the private sector, a lot try to do that, but the reality is that level of attribution is not needed. It’s sexy to talk about, but the reality is they need country-level attribution, especially in countries where they do business. Focus on countries and motivations.”

Governments also have better visibility into attacks, and more resources, than most of the private sector, but are usually reluctant to share intelligence. That leaves a sizable number of APT reports from vendors, academics and research organizations that too often rely on things such as timestamps, infrastructure, malware families and passwords to concoct attribution, all of which can be faked or tweaked, Bartholomew said.

“If you’re off track, you could have wasted weeks researching nothing. You lose all that time,” Bartholomew said of the chase for attribution. “You end up going down rabbit holes that have no bottom.”

Discussion

But at the same time, there are still plenty of groups out there who don't care about obfuscation or attribution, or even hiding at all. There's a Chinese group hitting a major NGO that is still using the same tools, domains, and even some IPs that they've been using since 2013. I even publicly marked all the domains and IPs as APT way back in June and they made no effort to hide or use new infrastructure.

Authors

Threatpost
